JP2016536667A - Complex scoring for malware detection - Google Patents

Abstract

The described systems and methods allow computer systems to be protected from malware such as viruses, Trojan horses, and spyware. For each of a plurality of executable entities (such as processes and threads executing on a computer system), the scoring engine records a plurality of evaluation scores, each score being determined by a separate evaluation criterion. Each time an entity meets the evaluation criteria (eg, performs an action), the respective score of the entity is updated. Updating an entity's score may trigger an update of the score of an entity associated with the respective entity even when the associated entity is terminated, ie, no longer active. Related entities include, among other things, the parent of each entity and / or the entity that injects code into each entity. The scoring engine determines whether an entity is malicious or not by a plurality of evaluation scores for each entity.

Description

  [0001] The present invention relates to systems and methods for protecting computer systems from malware.

  [0002] Malicious software, also known as malware, affects many computer systems around the world. In its many forms, such as computer viruses, worms, rootkits, and spyware, malware poses a serious danger to millions of computer users, especially for the loss of data and sensitive information, theft of personal information (Identity theft), as well as making it vulnerable to loss of productivity.

  [0003] Security software may be used to detect malware that contaminates a user's computer system and in addition to remove such malware or stop the execution of such malware. Several malware detection techniques are known in the art. Some rely on matching a piece of malware agent code with a library of signatures representing malware. Other conventional methods detect a set of behaviors indicative of malware of the malware agent.

  [0004] In order to evade detection and / or weaken the operation of security software, some malware agents either encrypt their code or taint slightly different code versions. Use obfuscation techniques such as use on a computer system (polymorphism). Other exemplary detection avoidance methods divide malicious activity into several actions, each action being performed by a separate agent, possibly with a time delay. In other examples, malware may attempt to actively attack and disable security software, for example, by using privilege escalation and / or by overwriting security software code.

  [0005] There is a strong interest in developing robust and scalable anti-malware solutions to keep up with the rapidly changing set of malware threats.

  [0006] According to one aspect, a host system comprises at least one processor configured to execute an entity management module, an entity evaluator, and a scoring engine. The entity management module is configured to manage a collection of software entities to be evaluated, wherein managing the collection identifies a set of descendent entities of the first entity of the collection and the first entity is terminated. And, accordingly, determining whether all members of the set of descendent entities are terminated when the first entity is terminated, and And removing the first entity from the collection when all members of the set of descendent entities are terminated. The entity evaluator is configured to evaluate the first entity according to the evaluation criteria and correspondingly send an evaluation indicator to the scoring engine when the first entity meets the evaluation criteria. Is done. The scoring engine is to record a first score determined for the first entity and a second score determined for the second entity of the collection, the first and first A score of 2 is determined by the evaluation criteria, in response to recording and recording the first and second scores, and in response to receiving the evaluation indicator, the second score is an evaluation indicator And, accordingly, determining whether the second entity is malicious is determined by the updated second score.

  [0007] According to another aspect, a non-transitory computer readable medium stores instructions that, when executed, cause at least one processor of the host system to receive a collection of software entities to be evaluated. Identifying a set of descendant entities of the first entity of the collection, determining whether the first entity is terminated, and accordingly the first entity Determines whether all members of the set of descendent entities are terminated, and, accordingly, all members of the set of descendent entities are terminated To manage, including removing selected entities from the collection It is formed. The instructions are to record at least one processor with a first score determined for the first entity and a second score determined for the second entity of the collection, The first and second scores are further determined to be recorded as determined by the evaluation criteria. The instructions further configure the at least one processor to evaluate the first entity according to the evaluation criteria in response to recording the first and second scores. The instructions update the second score and update the second score when the first entity meets the evaluation criteria in response to evaluating the first entity with the at least one processor. In response, the second entity is further configured to determine whether the second entity is malicious by the updated second score.

  [0008] According to another aspect, a host system comprises at least one processor configured to execute an entity evaluator and a scoring engine. An entity evaluator is to evaluate a first software entity according to an evaluation criterion, wherein the first software entity performs on the client system, and accordingly the first software entity evaluates When the criteria are met, an evaluation indicator is configured to be sent to the scoring engine. The scoring engine is to update the score with the evaluation indicator in response to receiving the evaluation indicator, the score being determined for a second software entity previously executing on the host system, When the second software entity updates the score, it is configured to do the updating, which is finished. The scoring engine is further configured to perform, in response to updating the second score, determining by the updated second score whether the second software entity is malicious. The

  [0009] According to another aspect, a method includes using at least one processor of a host system to determine whether a first software entity executing on the host system meets an evaluation criterion. The method is the step of updating a score previously determined for a second software entity executing on the host system with at least one processor when the first software entity meets the evaluation criteria. Thus, the second software entity is finished when updating the score, and further includes the updating step, wherein the score is determined by the evaluation criteria. The method includes, in response to updating the second score, using at least one processor to determine whether the second software entity is malicious by the updated second score. In addition.

  [0010] The foregoing aspects and advantages of the present invention will become better understood upon reading the following detailed description and upon reference to the drawings in which:

[0011] FIG. 2 illustrates an exemplary hardware configuration of a host computer system protected from malware, according to some embodiments of the invention. [0012] FIG. 4 illustrates an exemplary collection of software objects that include a security application executing on a host system, according to some embodiments of the invention. [0013] FIG. 5 illustrates an exemplary collection of software objects that include security applications executing inside a virtual machine in a host system configured to support virtualization. [0014] FIG. 6 illustrates an exemplary hierarchy of software objects executing on a host system at various processor privilege levels, including a collection of anti-malware objects, according to some embodiments of the invention. [0015] FIG. 4 illustrates an exemplary sequence of steps performed by the entity management module of FIG. 3, according to some embodiments of the invention. [0016] FIG. 6 illustrates an example scoring engine that receives a plurality of entity evaluation indicators determined for a software entity by a plurality of entity evaluator modules according to some embodiments of the invention. [0017] FIG. 4 illustrates an exemplary execution flow of a set of processes in a Windows environment, where solid arrows indicate an exemplary execution flow when no anti-malware system is present, and dashed arrows indicate , Illustrates modifications to the execution flow, which modifications are introduced by multiple entity evaluators that operate in accordance with some embodiments of the present invention. [0018] FIG. 4 illustrates an exemplary sequence of steps performed by an entity evaluator module, according to some embodiments of the invention. [0019] FIG. 7 illustrates a plurality of example entity scoring objects (ESOs), each ESO determined for a respective software entity according to some embodiments of the present invention. The exemplary data fields of the ESO include an entity identification information indicator EID, a plurality of scores S _i , and an aggregate score A that are determined for each entity, among others. [0020] Illustrate an exemplary set of score values and various exemplary sets of weights used by the scoring engine to score a software entity, according to some embodiments of the invention. It is a figure to do. [0021] FIG. 4 illustrates an exemplary sequence of steps performed by a scoring engine (FIGS. 3-4), according to some embodiments of the present invention. [0022] FIG. 6 illustrates an exemplary configuration comprising a plurality of host systems connected to a security server via a computer network. [0023] FIG. 6 illustrates an exemplary anti-malware transaction between a host system and a security server, according to some embodiments of the present invention.

  [0024] In the following description, it should be understood that all described connections between structures can be direct operable connections or indirectly operable connections through an intermediate structure. A set of elements includes one or more elements. Any description of an element should be understood to refer to at least one element. The plurality of elements includes at least two elements. Unless otherwise required, any described method steps need not necessarily be performed in a particular illustrated order. A first element (eg, data) derived from the second element is generated by processing the first element equal to the second element, and the second element and optionally other data. The first element to be included. Making a determination or judgment by parameter includes making a determination or judgment by parameter and optionally other data. Unless otherwise specified, some amount / data indicator may be the amount / data itself or a different indicator than the amount / data itself. Unless otherwise specified, a process represents an instance of a computer program, which is a sequence of instructions that determines that a computer system performs a specified task. Computer-readable media includes non-transitory media such as magnetic, optical, and semiconductor storage media (eg, hard drives, optical disks, flash memory, DRAM), and communication links such as conductive cables and optical fiber links. . According to some embodiments, the present invention particularly relates to a computer system comprising hardware (eg, one or more processors) programmed to perform the methods described herein, and the book A computer readable medium encoding instructions for performing the methods described herein is provided.

[0025] The following description illustrates embodiments of the invention by way of example and not necessarily limitation.
[0026] FIG. 1 illustrates an exemplary hardware configuration of a host system 10 that implements anti-malware operations, according to some embodiments of the present invention. The host system 10 may represent an enterprise computing device such as an enterprise server or an end user device such as a personal computer or smartphone, among others. Other host systems include entertainment devices such as TVs and game consoles, or any other device with memory and processor that supports virtualization and requires malware protection. Although FIG. 1 shows a computer system for illustrative purposes, other client devices such as mobile phones or tablets may have different configurations. In some embodiments, the system 10 includes a processor 12, a memory unit 14, a set of input devices 16, a set of output devices 18, a set of storage devices 20, and a network adapter, all connected by a set of buses 24. It comprises a set of physical devices, including 22 sets.

  [0027] In some embodiments, the processor 12 comprises a physical device (eg, a multi-core integrated circuit) configured to perform computational and / or logical operations with a collection of signals and / or data. In some embodiments, such logic operations are delivered to the processor 12 in the form of a sequence of processor instructions (eg, machine code or other type of software). The memory unit 14 may comprise volatile computer readable media (eg, RAM) that stores data / signals that are accessed or generated by the processor 12 in the course of executing instructions. Input device 16 may include, among other things, a computer keyboard, mouse, and microphone, including respective hardware interfaces and / or adapters that allow a user to introduce data and / or instructions into system 10. Output device 18 may include a display device, such as a monitor and speakers, and a hardware interface / adapter, such as a graphics card, among others, that allow system 10 to communicate data to the user. In some embodiments, input device 16 and output device 18 may share a common piece of hardware, as in the case of touch screen devices. Storage device 20 includes a computer-readable medium that enables non-volatile storage, reading, and writing of software instructions and / or data. The exemplary storage device 20 includes magnetic and optical disks and flash memory devices, and removable media such as CD and / or DVD disks and drives. The collection of network adapters 22 enables the system 10 to connect to a computer network and / or to other devices / computer systems. Bus 24 collectively represents multiple systems, peripherals, and chipset buses, and / or all other circuitry that allow devices 12-22 of host system 10 to communicate with each other. For example, the bus 24 may comprise, among other things, a north bridge that connects the processor 12 to the memory 14 and / or a south bridge that connects the processor 12 to the devices 16-22.

  [0028] FIG. 2-A illustrates an exemplary set of software objects executing on the host system 10 in a configuration that does not use hardware virtualization. In some embodiments, the guest operating system (OS) 34 includes software that provides an interface to the hardware of the host system 10 and serves as a host for a collection of software applications 42a-c and 44. The OS 34 may include any widely available operating system such as Windows®, MacOS®, Linux®, iOS®, or Android®, among others. Applications 42a-c may include word processing, image processing, databases, browsers, and electronic communication applications, among others.

  [0029] FIG. 2-B illustrates an exemplary set of software objects executing on the host system 10 in an embodiment using hardware virtualization. A set of guest virtual machines 32 a-b is exposed by the hypervisor 30. Virtual machines (VMs) are commonly known in the art as software emulations of actual physical machine / computer systems, each capable of running its own operating system and software independently of other VMs. ing. The hypervisor 30 includes software that enables multiplexing (sharing) of hardware resources of the host system 10 such as processor operations, memory, storage devices, input / outputs, and networking devices by multiple virtual machines. In some embodiments, the hypervisor 30 allows multiple virtual machines and / or operating systems (OS) to run on the host system 10 simultaneously with varying degrees of isolation. To enable such a configuration, the software that forms part of the hypervisor 30 is capable of creating multiple virtualized, ie software emulated devices, each virtualized. The device emulates the physical hardware devices of the system 10, such as the processor 12 and memory 14, among others. The hypervisor 30 may further assign a set of virtual devices to each VM running on the host system 10. Thus, each VM 32a-b operates as a complete computer system, to a greater or lesser extent, as if the VM owned its own set of physical devices. Creation and assignment of virtual devices to virtual machines is commonly known in the art as exposing each VM. Examples of popular hypervisors include VMware Inc., among others. VMware vSphere (TM) and an open source Xen hypervisor.

  [0030] In some embodiments, the hypervisor 30 includes a memory introspection engine 40 that is configured to perform anti-malware operations as described further below. The engine 40 may be embedded within the hypervisor 30 or supplied as a software component that is separate and independent of the hypervisor 30 but runs at a processor privilege level that is substantially similar to the hypervisor 30. Can be sent. A single engine 40 may be configured to malware protect multiple VMs running on the host system 10.

  [0031] Although FIG. 2-B shows only two VMs 32a-b for simplicity, the host system 10 is capable of operating a large number, eg, hundreds of VMs, at the same time. The number of can vary during operation of the host system 10. In some embodiments, each VM 32a-b can run a set of guest operating systems 34a-b and / or software applications 42d-e and 42f, simultaneously, and other VMs running on the host system 10, respectively. Run independently. Each OS 34a-b includes software that provides an interface to the (virtualized) hardware of the respective VM 32a-b, and acts as a host for computing applications running on the respective OS.

  [0032] In some embodiments, the security application 44 is configured to perform an anti-malware operation as detailed below to protect the host system 10 from malware. In the example of FIG. 2-B, an instance of application 44 can be executed on each VM 32a-b, and each such instance is configured to protect a respective virtual machine. Security application 44 may be a stand-alone program or may form part of a software suite that includes, inter alia, anti-malware, anti-spam, and anti-spyware components.

  [0033] FIG. 3 illustrates a hierarchy of software objects executing on the host system 10 according to some embodiments of the invention. Although FIG. 3 illustrates an exemplary embodiment configured to run in a virtualized environment, the illustrated embodiment may be modified to run directly on the host system 10 instead of inside the VM 32. This can be apparent to those skilled in the art. FIG. 3 is represented in terms of processor privilege levels, also known in the art as layers or guard rings. In some embodiments, each such layer or guard ring is characterized by a set of instructions that are allowed to be executed by software objects executing at the respective processor privilege level. When a software object attempts to execute an instruction that is not enabled within each privilege level, the attempt may trigger a processor event, such as an exception, failure, or virtual machine exit event. In some embodiments, switching between privilege levels may be achieved by a dedicated set of instructions. Such exemplary instructions include: SYSCALL / SYSENTER switching from user level to kernel level, SYSRET / SYSTEMX switching from kernel level to user level, VMCALL switching from either user level or kernel level to root level, and root level VMRESUME to switch to either kernel level or user level.

  [0034] Most components of the operating system 34 run at a processor privilege level known in the art as the kernel level or kernel mode (eg, ring 0 on the Intel platform). The application 42g executes with processor privileges (for example, ring 3 or user mode) inferior to the OS 34. In embodiments that support virtualization, the hypervisor 30 is a processor at the most privileged level (e.g., Ring-1 or VMXroot on the Intel platform), also known as the root level or root mode. 12 to expose the virtual machine 32 to the OS 34 and other software objects such as the application 42g.

  [0035] In some embodiments, portions of security application 44 may execute at the same level as user level processor privileges, ie, application 42g. For example, such a portion may include a graphical user interface that informs the user of any malware or security threat detected on the respective VM, eg desired for application 44 Receive input from the user indicating configuration options. Another example of a component that executes at the user level is a user level entity evaluator 50a that operates as detailed below. In some embodiments, the portion of the user level entity evaluator 50a is capable of operating within the security application 44, while another portion (such as a hooking module) is evaluated application such as the application 42g. Can work inside. Other parts of application 44 may run at the kernel privilege level. For example, application 44 may install anti-malware driver 36, entity management module 37, and scoring engine 38, all operating in kernel mode. The driver 36 is, for example, an anti-malware application for scanning memory for malware signatures and / or detecting processes indicative of malware in processes and / or other software objects executing on the OS 34. Provides functionality for 44. In some embodiments, anti-malware driver 36 includes a kernel level entity evaluator 50b that operates as detailed below.

  [0036] In some embodiments, the entity management module 37 manages a collection of software entities that execute within the host system 10 (or VM 32). In some embodiments, the collection includes all entities that have been evaluated against malware by an entity evaluation module, such as 55a-b. To manage the collection, the module 37 adds and / or adds entities to the collection in response to detecting the occurrence of a lifecycle event such as an entity start and / or end event as indicated in the mode details below. Can be removed. Module 37 determines the child entity (eg, child process) of the parent entity and / or whether the selected entity has injected a software object such as a library into another entity or is selected. Relationships between entities may be further determined, such as determining whether an entity is subject to injection by another software entity. A child entity is an executable entity created by another executable entity called a parent entity, and the child entity executes independently of the parent entity. Exemplary child entities are, for example, child processes created by the Windows OS CreateProcess function or by a fork mechanism in Linux. Code injection is a technique for introducing a sequence of code, such as a dynamic link library (DLL), into the memory space of an existing process to show a group of ways to modify the original functionality of each process. A generic term used in the field. In order to perform tasks such as detecting process invocations and / or detecting code injections, module 37 calls the certain OS function or hooks, etc. Any method known in can be used. For example, in a system running a Windows OS, module 37 registers a PsSetCreateProcessNotifyRoutine callback to detect the start of a new process and / or hooks the CreateRemoteThread function to inject injected code. Execution can be detected.

  [0037] FIG. 4 illustrates an exemplary sequence of steps performed by the entity management module 37, according to some embodiments of the invention. In the sequence of steps 250-252, module 37 intercepts entity lifecycle events using, for example, the methods described above. When such an event occurs, step 254 identifies the entity that triggers the respective event. Step 258 may include determining a unique entity identification indicator (EID) for each entity, such an indicator when scoring each entity, as further described below. Can be used. Step 256 determines whether the event includes the activation of a new entity (eg, a new process), and if no (NO), module 37 proceeds to step 260. When the event includes an activation, at step 258, module 37 may add the triggering entity to the collection of entities to be evaluated. Step 260 includes determining whether the event includes a parent entity that produces a child entity, and if no, module 37 may proceed to step 264. When yes (YES), at step 262, module 37 may add each child entity to the collection of entities to be evaluated. Step 262 may further include determining the EID of the child entity and registering the relationship between the triggering entity and the child entity as a derived (parent-child) relationship.

  [0038] In some embodiments, step 264 determines whether the event includes a code injection, and if no, module 37 may proceed to step 268. When yes, module 37 may identify the source entity and the target entity for code injection, which injects code into the target entity. At step 266, module 37 may register a code injection type relationship between the source entity and the target entity.

  [0039] At step 268, the entity management module 37 determines whether the event includes the end of the triggering entity, and if no, the module 37 returns to step 250. In some embodiments, entities are considered terminated when all components of each entity have finished executing. For example, a process is terminated when all threads of the respective process have finished executing. When the event included the end of the triggering entity, module 37 may determine a set of descendant entities of the triggering entity at step 270. In some embodiments, the descendent entities of the triggering entity include child entities of each entity and child entities of those child entities over multiple generations. In some embodiments, descendent entities may recursively include a target entity that includes code injected by the triggering entity and an entity targeted by the targeted entity. At step 272, module 37 may determine whether all entities in the set of descendent entities are finished, and if no, execution returns to step 250. When all descendants are finished, at step 274 entity management module 37 may remove the triggering entity from the collection of evaluated entities.

  [0040] In some embodiments, scoring engine 38 receives data from a plurality of entity evaluator modules, such as evaluators 50a-b, where the data is for the software entity being evaluated. It is determined to receive and to determine, depending on the respective data, whether each entity is malicious. In some embodiments, software entities analyzed by scoring engine 38 include executable objects such as processes and execution threads, among others. A process is an instance of a computer program, such as an application or part of an operating system, characterized by having at least a thread of execution and a section of virtual memory allocated to it by the operating system, each section executing Contains possible code. In some embodiments, the evaluated software entities vary in substantial scope and complexity, for example, from individual threads to individual applications, to entire instances of the operating system and / or virtual machine. obtain.

  [0041] FIG. 5 illustrates an exemplary scoring engine 38 that receives a plurality of evaluation indicators 52a-d, where each indicator 52a-d is determined by an entity evaluator. Such evaluators in FIG. 5 include, among other things, a user level entity evaluator 50a, a kernel level entity evaluator 50b, and a system call evaluator 50c. Each such evaluator module may be executed independently of the other evaluators, and each may determine a plurality of separate entity evaluation indicators for the software entity being evaluated. In systems that implement hardware virtualization, some evaluation indicators, such as indicators 52a-c in FIG. 5, are determined by components that run inside VM 32, while other evaluation indicators, such as 52d, Determined by components executing outside VM 32 (eg, by memory introspection engine 40). In some embodiments, each rating indicator 52a-d includes an entity identification indicator that causes the engine 38 to make each rating indicator unique to the software entity for which the rating indicator was determined. Can be associated with each other.

  [0042] Some evaluation indicators may be indicative of malware, that is, may indicate that the entity being evaluated is malicious. Some rating indicators may not themselves indicate malware, but may indicate malicious when combined with other rating indicators. Each rating indicator 52a-d may be determined by a separate method and / or criteria. An exemplary evaluation criterion is that the entity being evaluated has a certain action, such as writing to a disk file, editing the VM32 system registration key, or writing to a memory page belonging to a protected software object. Behavior criteria such as deciding whether to implement Another exemplary criterion may include determining whether a section of memory belonging to the entity being evaluated contains a signature indicative of malware.

  [0043] To illustrate the operation of entity evaluators 50a-c, FIG. 6 illustrates an exemplary execution flow of a collection of software entities 70a-b, according to some embodiments of the present invention. For simplicity, the selected entities 70a-b are processes that run on an instance of the Windows OS, but similar diagrams can be depicted for other operating systems such as Linux, for example. . A solid arrow represents the execution flow when the entity evaluator does not exist (eg, when the security application 44 does not exist). Dashed arrows represent modifications to the flow due to the presence of entity evaluators 50a-c, performed in accordance with some embodiments of the present invention.

  [0044] Process 70a loads a plurality of dynamically linked libraries (DLLs) 72a-c, and in the example of FIG. 6, DLL 72c is injected into process 70a by (possibly malicious) process 70b. . Each instruction when process 70a (or one of its loaded DLLs) executes an instruction that invokes some system functionality, for example, writes something to a disk file or edits a registry key Is KERNEL32. DLL or NTDLL. Call a user mode API such as DLL. In the example of FIG. 6, each user mode API call is intercepted and analyzed by the user level behavior filter 50a. Such interception can be achieved by methods such as DLL injection or hooking, among others. Hooking is a generic term used in the art for a method of intercepting function calls, messages, or events that are passed between software components. One exemplary hooking method includes modifying the target function entry point by inserting an instruction that redirects execution to a second function. Following such hooking, a second function may be executed in place of or before the target function. In the example of FIG. 6, the anti-malware driver 36 is KERNEL 32. DLL or NTDLL. You can hook into certain functions in the DLL and instruct each function to redirect execution to the filter 50a. Thus, filter 50a may detect that process 70a is attempting to perform a certain behavior that is identified by the function being hooked. When filter 50a detects such behavior, filter 50 may formulate evaluation indicator 52a and send indicator 52a to scoring engine 38 (eg, see FIG. 5).

  [0045] In a typical flow of execution, a user mode API function called by entity 70a may request a service from the operating system kernel. In some embodiments, such operations are performed by issuing system calls such as SYSCALL and SYSENTER on x86 platforms. In the example of FIG. 6, such a system call is intercepted by the system call evaluator 50c. In some embodiments, such intercepting includes, for example, modifying a system call handler routine by changing a value stored in a model specific register (MSR) of processor 12, which may include executing Is effectively redirected to the filter 50c. Such a technique is known in the art as MSR hooking so that the system call evaluator 50c is attempting to perform a certain system call by the process being evaluated. Can be detected. When such a system call is intercepted, the system call filter 50c may formulate an entity evaluation indicator 52c and send the indicator 52c to the scoring engine 38.

  [0046] Following the system call, control of the processor is typically taken over to the OS 34 kernel. In some embodiments, the kernel level entity evaluator 50b intercepts certain behaviors of the OS kernel and thus attempts to perform certain behaviors where the evaluated process can be malicious. Configured to determine what is being attempted. In order to intercept such operations, some embodiments may use a set of filtering mechanisms built into and exposed by OS 34. For example, in Windows OS, FltRegisterFilter can be used to intercept operations such as creating a file, opening a file, writing to a file, and deleting a file. In another example, the evaluator 50b may use an ObRegisterCallback to intercept an operation to create or duplicate an object handle, or a PsSetCreateProcessNotifyRoutine to intercept the creation of a new process. In yet another example, Windows registry operations such as creating and setting registry keys / values may be intercepted using CmRegisterCallbackEx. Similar filtering mechanisms are known in the art for other operating systems, such as Linux. When kernel mode entity evaluator 50b intercepts such operations, evaluator 50b may formalize entity evaluation indicator 52b and send indicator 52b to scoring engine 38.

  [0047] Any interprocess communication method may be used by those skilled in the art to transmit data, such as entity evaluation indicators 52a-c, from scoring devices 50a-c to scoring engine 38. For example, to communicate between a user mode component and a kernel mode component, the evaluators 50a-c and the engine 38 may be configured to use a shared section of memory. When data exchange is required between a component executing inside VM 32 and a component executing outside each VM, such communication is optional as known in the art of virtualization. Can be implemented using For example, to send the evaluation indicator 52d from the memory introspection engine 40 to the scoring engine 38, some embodiments use an interrupt injection mechanism to cause the engine 38 to send data to the outside of each VM. Signaling that it is being sent from. The actual data can be transferred, for example, by the shared memory section described above.

  [0048] FIG. 7 is an illustration of steps performed by an entity evaluator, such as evaluator 50a-c and / or memory introspection engine 40 in FIGS. 4-5, according to some embodiments of the invention. Shows a typical sequence. In the sequence of steps 302-304, the entity evaluator waits for the occurrence of a trigger event within the host system 10 and / or the virtual machine 32. Exemplary trigger events include, among other things, issuing specific processor instructions, attempting to use a specific piece of hardware such as storage device 20 or network adapter 22, or writing to a protected memory page. Includes software entities that perform certain behaviors, such as trying to try. For example, the trigger event for the evaluator 50c may include a software entity that issues a system call (eg, SYSTEMER). Another example of a trigger event for the evaluator 50d may include an application that calls a function of the UrlDownloadToFile API. In order to detect the occurrence of a trigger event, each entity evaluator may use any method known in the art, such as code injection and MSR hooking, among others. Some examples of trigger event intercepts are described above with respect to FIG.

  [0049] When trigger events are detected, at step 306, the entity evaluator may identify software entities (eg, processes) that cause each trigger event. In some embodiments, the entity evaluator may determine the identity of the software entity from a data structure used by the OS 34 to represent each process and / or thread currently executing. For example, in Windows, each process is represented as an executive process block (EPROCESS), which identifies, among other things, the handle to each of the respective process's threads and the process by which the OS 34 executes each process. It contains a unique process ID that makes it possible to Similar process / thread representations are available for other OSes such as Linux.

  [0050] In step 308, the entity evaluator may stylize an evaluation indicator, the evaluation indicator being implemented by the identifier (eg, process ID) of each software entity and each software entity, Contains an indicator of the type of action / event intercepted at 302-304. In some embodiments, the entity evaluator may determine the type of action and / or behavior of each software entity from the parameters of the intercepted trigger event. In an example operation, when a process attempts to download a file from the Internet, the user level entity evaluator 50a may intercept the attempt. In addition to identifying which process is performing the action, the evaluator 50a further includes, among other things, the type of action (downloading the file), the IP address from which the file is downloaded, and the downloaded The disk location of the file can be determined. Such data can be selectively incorporated into the evaluation indicator, which allows the scoring engine 38 to determine that entity X has performed action Y with parameter Z. In step 310, the entity evaluator sends an evaluation indicator to the scoring engine 38.

[0051] In some embodiments, the scoring engine 38 and / or the entity management module 37 is a centralized version of the software entity being evaluated, such as processes and threads executing on the host system 10 (or VM 32). Maintain a knowledge base. FIG. 8 shows a set of evaluated entities 70c-e, each represented as an exemplary entity scoring object (ESO) 74a-c. Each ESO includes a plurality of data fields, some of which are illustrated in FIG. Such fields may include a unique entity identifier (EID) 76a, a plurality of evaluation scores 76b, and an aggregate score 76d. In some embodiments, rating score 76b is determined by rating indicators 52a-d received by engine 38 from individual entity evaluators. Each such score may be determined by the evaluation criteria identified by indicator 76c. In some embodiments, the evaluation score 76b has a one-to-one correspondence with the evaluation criteria 76c so that each score is considered to be according to a respective criterion. For example, the particular criteria C _k may include determining whether the evaluated entity downloads the file from a computer network such as the Internet. In one such example, each score S _k may be given only if the evaluated entity attempts to download.

[0052] In some embodiments, the ESO 74a may further include a set of flags 76e. Some flags 76e may be binary indicators (eg, 0/1, yes / no). In one such example, the flag may indicate whether each evaluated entity E ₁ meets certain evaluation criteria (eg, whether E ₁ is an executable file downloaded from the Internet, E ₁ Indicates whether to run in command line mode, etc.). Another exemplary flag, which shows the classification of entities E _1, for example, E ₁ is Trojan malware, browser object, PDF reader applications, such as other things belonging to a specific category of objects It is an indicator. An exemplary use of the flag includes a situation where an update of the evaluation score S _i of entity E ₁ triggers an update of another evaluation score S _j of E ₁ (see below). The flag may be used to turn on and off such a co-update mechanism. For example, when E ₁ meets the evaluation criterion C _i (eg, when the entity performs a specific action), the entity E ₁ may further be known to be highly likely to meet the criterion C _j. . Accordingly, a flag F ₁ indicating a connection <C _i , C _j > that triggers an update of the score S _j when the score S _i is updated may be set for the entity E ₁ .

[0053] The ESO 74a may further include an end indicator 76f that indicates whether each entity is currently active or has ended. Such an end indicator may allow scoring engine 38 to keep a record of the entities that have ended and / or update the scores of those entities. ESO74a may further comprise a set of identifiers of the software entity to be associated with the respective entities _{E 1.} Examples of such related software entities may include a set of E ₁ parent entities represented by identifier 76g and a child entity of E ₁ represented by identifier 76h. ESO74a identifies the software entity E ₁ is injected code within a set of indicators of the injection target entity (item 76j) further and identifies the software entity that inject code into the E _1, injection occurs It may further include a set of source entity indicators (item 76k).

[0054] In some embodiments, scoring of the evaluated software entity proceeds with a set of score values, and even with additional parameters. FIG. 9 illustrates such data, and a set of score values is represented by item 80. The score values are indexed by their corresponding evaluation criteria C ₁ ,... C _n . Each such value may be, for example, if the entity being evaluated meets the respective evaluation criteria (for example, if the entity downloads a file from the Internet, the entity will receive the MS Word® document). ) May represent a predetermined number of points received in others).

[0055] Exemplary parameters that control scoring include a set of initialization weights 82a, a set of propagation weights 82b, a set of new instance weights 82c, a set of exception weights 82d, and flag-induced ) Includes a set of weights 82e. Weight 82a~e, the evaluation criteria _C 1, are indexed by ... _{C n.} Some types of weights have a one-to-one correspondence with evaluation criteria such that one weight value w _i exists for each C _i . Other types of weights have a one-to-many correspondence with evaluation criteria. One such example is the exception weight 82d in FIG. 9, where there may be multiple weights w _ij corresponding to a particular evaluation criterion C _i . The weights may be grouped by entity class or category, as illustrated by the example of FIG. 9, for example, a first applicable to a word processing application (eg, MS Word®). A weight value, a second weight value (possibly separate from the first) applicable to a web browser (eg, Firefox® and MS Internet Explorer®), and a file manager There may be a third weight value applicable to the application (eg, Windows Explorer®). It can be useful to distinguish between different categories of entities because some metrics may be more indicative of malware against one category of entities than others. It is from. More generally, each scoring weight can be indexed by a tuple <C _i , E _k ,...>, Where C _i represents a specific evaluation criterion, and E _k Represents the entity being evaluated. The actual data format for storing and accessing the scoring weights 82a-e may vary between embodiments. The weights 82a-e may be stored as a matrix, list, relational database (RDB), or extensible markup language (XML) structure, among others. An exemplary use of weights for scoring will be discussed below.

  [0056] The score value 80 and / or weights 82a-e are predetermined by, for example, a human operator. In some embodiments, such values can change over time and can be adjusted to optimize malware detection. The updated score values and / or weight values can be sent to the host system 10 from the security server as periodic and / or on-demand software updates (see below related to FIGS. 10-11). Wanna)

  [0057] FIG. 10 illustrates an exemplary sequence of steps performed by the scoring engine 38, according to some embodiments of the present invention. At step 302, engine 38 receives an entity evaluation indicator from an entity evaluator, eg, one of evaluators 50a-c in FIG. In some embodiments that implement hardware virtualization, the engine 38 receives the respective entity evaluation indicator from a component that executes outside the respective virtual machine (eg, the memory introspection engine 40 in FIG. 5). Can be received. At step 304, engine 38 may identify the software entity for which each entity evaluation indicator was determined, for example, by an entity ID embedded in each evaluation indicator (see above with respect to FIG. 7). .

[0058] Next, scoring engine 38 performs the blocks of steps 318-332 for entity E identified in step 304 and for other entities associated with E. Such related entities may include, among other things, the parent and child entities of E, the injected entity into which E injected the code, and the injection source entity that injected the code into E. In this manner, each time engine 38 receives an evaluation indicator (eg, indicating that entity E has performed a particular action), blocks 318-332 are associated with E as well as entity E's evaluation score. The evaluation score of the selected entity may also be updated and executed several times. In some embodiments, blocks 318-332 are performed once for E and once for each entity E ^* associated with E. In an alternative embodiment, blocks 318-332 are performed recursively until some convergence criterion is met. An exemplary convergence criterion verifies whether the evaluation score for E and / or E ^* changes between successive executions of blocks 318-332 and exits when no such change exists (exiting). )including. In the exemplary algorithm of FIG. 10, the variable X is used to indicate the entity that currently receives the score update. In step 316 X is set to entity E identified in step 304.

  [0059] At step 318, engine 38 updates entity X's evaluation score (eg, entity 76b in FIG. 8). In some embodiments, updating the evaluation score includes replacing the recorded value of each evaluation score with a new value.

S _k ^(X) → S _k ^(X) + ΔS _k [1]
Where S _k ^(X) represents, for entity X, an evaluation score determined by the evaluation criterion C _k , and ΔS _k represents an increase that can be positive or negative (in some embodiments). The rating score can be reduced upon update).

[0060] In some embodiments, the score increment ΔS _k is determined by the scoring engine 38 according to an evaluation indicator received at step 312. Each indicator may include a score and / or may indicate an evaluation criterion used in determining each indicator. In some embodiments, the scoring engine 38 determines the score increase ΔS _{k according} to the score value 80 (see FIG. 9) corresponding to each evaluation criterion C _k , for example,

ΔS _k = V _k [2]
However, V _k represents the score value 80 assigned to the reference C _k . In one such example where the criterion C _k includes determining whether the entity X downloads the object from the network and V _k = 20, the evaluation score S _k ^(X) Each download will be increased by 20 points. In some embodiments, ΔS _k = εV _k , where ε is a binary exception weight that enforces that the score S _k is updated only for a subset of the evaluated entities (eg, FIG. 9) (See item 82d in FIG. 9). Such exception weights are useful, for example, to distinguish between various types of entities being evaluated. For example, browsers should be allowed to access an unlimited number of IP addresses without raising the suspicion of malware, and the criteria including detecting Internet access can be used against browser-type entities. By setting the exception weight to 0 while keeping the exception weight active for other types of entities (ε = 1), it can be effectively switched off for the browser object.

[0061] In some embodiments, the score increment ΔS _k used in updating the evaluation score of entity X is determined by the evaluation score determined for entity X ^* related to X. That is, the score may propagate from one entity to the related entity, such as from child to parent or from the injection subject to the source of the injection. In one such example, an action performed by a child process may trigger not only an update of the score of the entity (child process) that performs the action, but also an update of the score of the parent process of each child process. . Such a score update may include calculating a score increase according to:

ΔS _k = w _k S _k ^{(X *)} [3]
Where w _k represents a numerical criterion-specific weight that indicates the strength with which the score of entity X ^* affects the score of entity X. The weight w _k may include a propagation weight 82b (FIG. 9). Some embodiments distinguish between various such propagation weights, e.g., the weight used to propagate the score from the child entity to the parent entity, the score from the parent entity to the child entity The weight used to propagate to may vary in value. Similarly, the weight used to propagate the score from the child entity to the parent entity is used to propagate the score from the entity targeted for code injection to the entity performing code injection. Weights can differ in value. In some embodiments, the score may propagate from an active entity to an entity that has ended. For example, a child process action may increase the score of the parent process even when the parent process is terminated.

[0062] In some embodiments, entity X ^* in equation [3] is another instance of entity X. For example, X and X ^* can be copies of the same process or thread executing simultaneously. In such cases, the weight w _k may be a new instance weight (eg, item 82c in FIG. 9) or an initialization weight (eg, item 82a). In some embodiments, when a new instance X ′ of entity X is launched, engine 38 updates some or all evaluation scores of existing entity X with the new instance weight w _k. , The score can be propagated from X to X ′. Similarly, when X ′ is invoked, engine 38 updates some or all evaluation scores for X ′ using initialization weights w _k , and the scores are new from the already executing entity X. It can be propagated to entity X ′.

[0063] In some embodiments, updating the evaluation score S _k may trigger an update of a separate evaluation score S _m for each entity. For example, the following equation is obtained.
S _k ^(X) → S _k ^(X) + V _k triggers S _m ^(X) → S _m ^(X) + F ^(X) f _km V _m [4]
However, F ^(X) is a flag set for the entity X (for example, check the item 76e in FIG. 8), and the flag indicates a connection between the evaluation criteria C _k and C _m. F _km is a flag-derived weight (eg, item 82e in FIG. 9) that indicates the strength with which the update of S _k affects the update of S _m of entity X. Want).

  [0064] At step 320, the scoring engine 38 may update the entity X flag (see discussion regarding the above flag relating to FIG. 8) with the evaluation indicator received at step 312. A flag may be set to activate and / or deactivate a score co-update mechanism, such as that described above with respect to equation [4]. In one such example, the entity being evaluated may be identified as a web browser application by the rating indicator (step 312), and such identification may be sent to the scoring engine 38 in the future from the Internet. Should be shown not to score each entity for downloads. This can be achieved by setting the value of a special flag F to 0 for each entity, and the flag F tells the scoring engine 38 when an entity downloads an object from the Internet. Figure 6 shows that the evaluation score of each entity is updated.

  [0065] In step 322, scoring engine 38 may determine the aggregate score for entity X by combining the individual evaluation scores determined for each process, for example, as a sum of the following equations.

  [0066] At step 324, the engine 38 may compare the aggregate score to a predetermined threshold. If the aggregate score does not exceed the threshold, the scoring engine 38 may proceed to step 326 described below. In some embodiments, the threshold may be set to a value determined by user input. Such threshold values may reflect the security preferences of each user. For example, when a user chooses strict security, the threshold can be set to a relatively low value, and when the user prefers a more permissive security setting, the threshold is relatively high Can be set to a value. In some embodiments, the threshold value may be received from a remote security server, as described below with respect to FIGS.

  [0067] In some embodiments, the scoring engine 38 may determine a plurality of aggregate scores at steps 322-324 and compare each aggregate score to a (possibly separate) threshold. Each such aggregate score may be determined by a separate subset of evaluation scores. In an exemplary embodiment, each such subset of scores, and the corresponding subset of those scores of the evaluation criteria, is a specific class or type of malware (eg, Trojan horse, rootkit, etc.) ). This may allow engine 38 to perform a classification of detected malware. In another embodiment, scoring engine 38 uses multiple threshold values to classify executing entities by varying degrees of maliciousness (eg, clean, suspicious, dangerous, and critical). .

  [0068] When the aggregate score is above the threshold, at step 326, the engine 38 may determine that the process being evaluated is malicious and may take anti-malware actions. In some embodiments, such anti-malware actions may, among other things, terminate the evaluated process, quarantine the evaluated process, and resources (file or memory) of the evaluated process. Removing or disabling sections, etc.). In some embodiments, the anti-malware action alerts the user of the host system 10 by, for example, sending a message to the system administrator over a computer network connected to the host system 10 by the network adapter 22; And / or may further include alerting the system administrator. In some embodiments, the anti-malware action may also include sending a security report to a remote security server, as described below with respect to FIGS.

[0069] In the sequence of steps 328-330, the engine 38 may identify the entity X ^* associated with X, in which case the score of X ^* is updated following the current score update of X. I need that. For example, X ^* may be a parent or child entity of X. In some embodiments, entity X ^* may be identified by the ESO fields 76g-k of entity X (eg, see FIG. 8). When no such entity X ^* exists, or when all such entities X ^* have already been considered for score update, the engine 38 returns to step 312. If at least the entity X ^* exists, in step 332, the scoring engine makes X ^{* the} current entity and returns to step 318.

  [0070] The example scoring engine 38 illustrated in FIGS. 3-4 operates within the VM 32 at an OS processor privilege level (eg, kernel mode). In alternative embodiments, the scoring engine 38 may run at the processor privilege level of the hypervisor 30 either inside the VM 32, in user mode, or outside the VM 32.

  [0071] In some embodiments, the introspection engine 40 runs at substantially the same privilege level as the hypervisor 30 and is configured to perform introspection of a virtual machine such as the VM 32 (FIG. 3). The Introspection of software entities executing on or on each VM, among other things, analyzing the behavior of software entities, determining the memory addresses of such entities and / or their memory addresses Access to certain processes, constrain access of certain processes to the contents of memory located at such addresses, analyze such contents, and evaluation indicators for each entity (e.g., figure Determining indicator 52d) at 5.

  [0072] In some embodiments, the host system 10 may be configured to exchange security information, such as details regarding malware detection events, with a remote security server. FIG. 11 illustrates such an exemplary configuration in which multiple host systems 10a-c, such as system 10 discussed above, are connected to security server 110 via computer network 26. Connected. In the exemplary embodiment, host systems 10a-c are individual computers used by corporate employees, while security server 110 is generated on systems 10a-c by the respective corporate network administrator. May comprise a computer system configured to monitor malware threats or security events. In another embodiment, for example, in an infrastructure-as-a-service (IAAS) system where each host system 10a-c is a server that hosts tens or hundreds of virtual machines. The security server 110 may comprise a computer system configured to manage anti-malware operations for all such VMs from a central location. In yet another embodiment, the security server 110 may provide statistical and / or behavioral data regarding malware detected on various systems around the network 26 by an anti-malware software provider (eg, among other things, the provider of the security application 44). A computer system configured to receive the. Network 26 may include a wide area network such as the Internet, while portions of network 26 may include a local area network (LAN).

  [0073] FIG. 12 illustrates an exemplary data exchange between the host system 10 and the security server 110 in an embodiment as shown in FIG. The host system 10 may be configured to send a security report 80 to the server 110 and receive a set of security settings 82 from the server 110. In some embodiments, the security report 80 includes, among other things, entity evaluation indicators 52a-d and / or scores determined by entity evaluators 50a-c and / or 40 executing on the host system 10, and / or The total score determined by the scoring engine 38 is included. Security report 80 includes data identifying each system 10 and the entity being evaluated (eg, entity ID, name, path, hash, or other type of entity identifier), as well as entity evaluation indicators / scores, An indicator associated with the host system and entity for which the indicator / score is determined may also be included. In some embodiments, the report 80 may further include statistical and / or behavioral data regarding entities executing on the host system 10. System 10 may be configured to send report 80 based on detection of malware and / or on schedule (eg, every few minutes, every hour, etc.).

  [0074] In some embodiments, security settings 82 may include entity evaluator operational parameters (eg, parameters of filters 50a-c in FIG. 5) and / or scoring engine 38 parameters. Exemplary parameters of engine 38 include, among other things, a threshold for determining whether the process being evaluated is malicious, as well as score value 80 and weights 82a-e.

  [0075] In some embodiments, the server 110 runs optimization algorithms to dynamically adjust such parameters to maximize malware detection performance, eg, increase detection rates, while false positives To minimize. The optimization algorithm receives statistical and / or behavioral data for various entities executing on the plurality of host systems 10a-c, including entity evaluation indicators / scores reported to the scoring engine 38 by various entity evaluators. The optimum value for the parameter can then be determined. The value is then transmitted over the network 26 to the respective host system.

  [0076] In one such example of optimization, changing the score value 80 may effectively change the relevance of the respective metrics relative to each other. Malware threats typically occur one after another, and many computer systems around the world are affected by the same malware agent in a short time interval. By receiving security reports 80 from multiple host systems in real time, the security server 110 can be kept up to date with current malware threats, and the optimal security settings 82 Settings 82 can include a set of score values 80 that are optimized to detect current malware threats, for example, which can be quickly delivered to each host system.

  [0077] The exemplary systems and methods described above allow host systems, such as computer systems, to be protected from malware, such as viruses, Trojan horses, and spyware. For each of a plurality of executable entities such as processes and threads currently executing on the host system, the scoring engine records a plurality of evaluation scores, each score being determined by a separate evaluation criterion. In some embodiments, the evaluated software entity varies substantially in scope and complexity, for example, from individual execution threads to individual applications, to entire instances of an operating system and / or virtual machine. Can do.

  [0078] Each time a monitored entity meets the evaluation criteria (eg, performs an action), the respective score of the entity is updated. Updating the score of the target entity may trigger a score update for other entities associated with the target entity. Such related entities include, among other things, the child of the target entity, the parent of the target entity, the entity into which the target entity injected code, and the entity that injected the code into the target entity.

  [0079] Conventional anti-malware systems typically score each entity separately from other entities. Some malware divides the malicious activity among several separate agents, such as child processes of the malicious process, which is sufficient to detect any individual agent. By not performing any activities that indicate malware, one may attempt to escape detection. In contrast, some embodiments of the present invention propagate scores from one entity to other related entities, thus reinforcing data indicative of malware across the related entities. Score propagation may ensure that at least one agent involved in malicious activity is detected.

  [0080] In one exemplary escape strategy, a malware agent may spawn and close multiple child processes. Malicious activity can be split between child processes, so that any individual child action may not trigger a malware alert by those actions alone. In some embodiments of the invention, the score may propagate from one entity to another, even when the latter is finished. Such a configuration may detect the parent process as malicious even if it may fail to detect that the child process is malicious. Some embodiments maintain a list of entities that are currently being evaluated, and the list may include both active entities and entities that have ended. Entities can be removed from the list only when all descendants of each entity are terminated.

  [0081] In conventional anti-malware systems, only one score is typically recorded for each entity. By keeping a score for each of a plurality of entities, each calculated by its separate criteria, according to some embodiments of the invention, the scores are propagated between the related entities on a per criteria basis. It becomes possible to be done. Such a score can increase or otherwise decrease based on propagation, thereby providing a more precise assessment of maliciousness throughout the life cycle of each entity, This is possible with fewer false positive detections. In some embodiments, the degree to which a single entity's score affects the associated entity's score can be adjusted by numerical propagation weights. Such weights may vary from entity to entity and / or from evaluation criteria, which allows for flexible and precise adjustment of score propagation. The weight value may be determined by a human operator and / or may depend on an automated optimization aimed at improving malware detection performance.

  [0082] Some conventional anti-malware systems determine whether an entity being evaluated is malicious, whether each entity performs a behavior indicative of malware, and / or This is done by determining whether the entity has characteristics indicative of malware, such as a sequence indicative of malware in the code. In contrast, in some embodiments of the present invention, entity metrics do not necessarily indicate malware by themselves. For example, some criteria include determining whether an entity performs a benign action such as opening a file or accessing an IP address. Nevertheless, such actions can be malicious when combined with other actions, and these other actions themselves may not be indicative of malware by themselves. By monitoring a wide variety of entity behaviors and / or features, recording a large number (sometimes hundreds) of evaluation scores, and summing up such scores in a per-entity manner, Embodiments can increase detection rates while minimizing false positives.

  [0083] Some embodiments of the present invention may protect a virtualized environment. In embodiments configured to support virtualization, some components of the present invention may be executed inside a virtual machine, while others are outside each virtual machine, For example, it can be executed at the level of a hypervisor that exposes each virtual machine. Such a component executing at the hypervisor level may be configured to perform anti-malware operations on multiple virtual machines executing simultaneously on each host system.

  [0084] It will be apparent to those skilled in the art that the above embodiments can be modified in many ways without departing from the scope of the invention. Accordingly, the scope of the invention should be determined by the following claims and their legal equivalents.

Claims (22)

A host system including at least one processor configured to execute an entity management module, an entity evaluator, and a scoring engine,
The entity management module is configured to manage a collection of software entities to be evaluated, and managing the collection includes
Identifying a set of descendant entities of the first entity of the collection;
Determining whether the first entity is terminated;
Accordingly, determining whether all members of the set of descendent entities are terminated when the first entity is terminated;
In response, when all members of the set of descendent entities are terminated, removing the first entity from the collection;
The entity evaluator is
Evaluating the first entity according to an evaluation criterion;
Accordingly, the first entity is configured to send an evaluation indicator to the scoring engine when the first entity meets the evaluation criteria,
The scoring engine
Recording a first score determined for the first entity and a second score determined for a second entity of the collection, wherein the first and second The score of is determined by the evaluation criteria, recording;
In response to recording the first and second scores, and in response to receiving the evaluation indicator, updating the second score with the evaluation indicator;
In response, the second entity is configured to determine whether the second entity is malicious by determining the updated second score;
Host system. The host system according to claim 1, wherein the scoring engine is
Responsive to receiving the rating indicator, updating the first score with the rating indicator;
In response, the host system further configured to determine whether the first entity is malicious by determining the updated first score.   The host system according to claim 1, wherein the first entity is a child of the second entity.   The host system according to claim 1, wherein the second entity is a child of the first entity.   The host system of claim 1, wherein the first entity includes a section of code injected by the second entity.   The host system of claim 1, wherein the second entity includes a section of code injected by the first entity.   2. The host system according to claim 1, wherein updating the second score includes changing the second score by an amount determined by w · S, where S is the first score. The host system, where w is the numerical weight. The host system of claim 1, wherein managing the collection of software entities to be evaluated comprises
Intercepting the launch of a new software entity;
In response, the host system further comprising adding the new software entity to the collection. A non-transitory computer readable medium for storing instructions that, when executed, cause at least one processor of a host system to
Managing a collection of evaluated software entities,
Identifying a set of descendant entities of the first entity of the collection;
Determining whether the first entity is terminated;
Accordingly, determining whether all members of the set of descendent entities are terminated when the first entity is terminated;
Accordingly, managing when all members of the set of descendant entities are terminated, removing the selected entity from the collection;
Recording a first score determined for the first entity and a second score determined for a second entity of the collection, wherein the first and second The score of is determined by the evaluation criteria,
In response to recording the first and second scores, evaluating the first entity according to the evaluation criteria;
In response to evaluating the first entity, updating the second score when the first entity meets the evaluation criteria;
Non-temporarily configured to determine whether the second entity is malicious in response to updating the second score, according to the updated second score. Computer-readable medium. The computer-readable medium of claim 9, wherein the at least one processor is
Responsive to evaluating the first entity, updating the first score when the first entity meets the evaluation criteria;
In response, the computer-readable medium further configured to determine whether the first executable entity is malicious by determining the updated first score.   The computer readable medium of claim 9, wherein the first entity is a child of the second entity.   The computer-readable medium of claim 9, wherein the second entity is a child of the first entity.   The computer-readable medium of claim 9, wherein the first entity includes a section of code injected by the second entity.   The computer-readable medium of claim 9, wherein the second entity includes a section of code injected by the first entity.   10. The computer readable medium of claim 9, wherein updating the second score includes changing the second score by an amount determined by w · S, where S is the first score. A computer readable medium with a score of 1 and w is a numerical weight. The computer-readable medium of claim 9, wherein managing the collection of software entities to be evaluated is
Intercepting the launch of a new software entity;
In response, the computer-readable medium further comprising adding the new software entity to the collection. A host system including at least one processor configured to execute an entity evaluator and a scoring engine,
The entity evaluator is
Evaluating the first software entity according to an evaluation criterion, wherein the first software entity is executed on a client system;
In response, the first software entity is configured to send an evaluation indicator to the scoring engine when the first software entity meets the evaluation criteria;
The scoring engine
Responsive to receiving the evaluation indicator, updating a score with the evaluation indicator, the score being determined for a second software entity previously executed on the host system; The second software entity is finished when updating the score, updating;
In response thereto, the second software entity is configured to determine whether the second software entity is malicious by determining the updated second score;
Host system.   18. The host system according to claim 17, wherein the first software entity is a child of the second software entity.   18. The host system of claim 17, wherein the first software entity includes a section of code injected by the second software entity. Determining, using at least one processor of the host system, whether a first software entity executed on the host system meets the evaluation criteria;
Accordingly, a score previously determined for a second software entity previously executed on the host system using the at least one processor when the first software entity meets the evaluation criteria. Updating the second software entity when the score is updated, the score being determined by the evaluation criteria; and
In response to updating the second score, using the at least one processor to determine whether the second software entity is malicious according to the updated second score. Including a method.   21. The method of claim 20, wherein the first software entity is a child entity of the second software entity.   21. The method of claim 20, wherein the first software entity includes a section of code injected by the second software entity.

Images